CVE-2025-49973
Description
Missing authorization in GrandPlugins Image Sizes Controller plugin (≤1.0.10) allows unauthenticated exploitation of access controls.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2025-49973 is a missing authorization vulnerability in the GrandPlugins Image Sizes Controller WordPress plugin (and its Create Custom Image Sizes / Disable Image Sizes variant). Certain plugin functions act without verifying the caller's access level: they lack the capability (authorization), authentication, or nonce checks that WordPress expects on privileged actions [1]. Versions up to and including 1.0.10 are affected.
Attack Vector
An attacker exploits this flaw by sending crafted requests to the affected plugin endpoints; no prior authentication or elevated privileges are required. Because the plugin does not check capabilities or nonces in those functions, an unauthenticated user can trigger actions that should be restricted to higher-privileged roles [1]. Flaws of this class are trivial to exploit and are a routine target of automated mass-exploitation campaigns against WordPress sites, since a single request pattern works against every unpatched install.
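The following is an added illustration of the bug class, not code from the Image Sizes Controller plugin: the advisory does not name the affected functions, so the AJAX action name (isc_save_sizes), the option key (isc_image_sizes) and the handler bodies are assumptions. It shows a handler exposed to logged-out users with no capability or nonce check, beside the hardened form that closes both gaps and validates its input.

```php
<?php
// Added example, not the plugin's own code. Action name, option key and
// handler logic are assumed for illustration.

// --- Vulnerable pattern ---------------------------------------------------
// The action is hooked for logged-out users (wp_ajax_nopriv_*) and the handler
// checks neither a capability nor a nonce, so any HTTP client can rewrite the
// stored image-size configuration with one request, e.g.:
//   curl -X POST https://example.org/wp-admin/admin-ajax.php \
//        -d 'action=isc_save_sizes&sizes[thumb][width]=1&sizes[thumb][height]=1'
add_action( 'wp_ajax_isc_save_sizes',        'isc_save_sizes_vulnerable' );
add_action( 'wp_ajax_nopriv_isc_save_sizes', 'isc_save_sizes_vulnerable' );

function isc_save_sizes_vulnerable() {
    $sizes = isset( $_POST['sizes'] ) ? (array) $_POST['sizes'] : array();
    update_option( 'isc_image_sizes', $sizes ); // unauthenticated, unvalidated write
    wp_send_json_success( 'saved' );
}

// --- Hardened pattern -----------------------------------------------------
// Only the authenticated hook is registered; the handler requires the
// capability an admin-only setting needs, verifies a nonce bound to this
// action, and sanitizes the payload before storing it.
add_action( 'wp_ajax_isc_save_sizes', 'isc_save_sizes_hardened' );

function isc_save_sizes_hardened() {
    // Authorization: a logged-in subscriber is not an administrator.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF protection: dies with 403 when the nonce is missing or invalid.
    check_ajax_referer( 'isc_save_sizes', 'nonce' );

    $raw   = isset( $_POST['sizes'] ) ? (array) wp_unslash( $_POST['sizes'] ) : array();
    $clean = array();
    foreach ( $raw as $name => $dims ) {
        $name = sanitize_key( $name );
        if ( '' === $name || ! is_array( $dims ) ) {
            continue; // drop malformed entries instead of storing them
        }
        $clean[ $name ] = array(
            'width'  => absint( $dims['width']  ?? 0 ),
            'height' => absint( $dims['height'] ?? 0 ),
            'crop'   => ! empty( $dims['crop'] ),
        );
    }
    update_option( 'isc_image_sizes', $clean );
    wp_send_json_success( $clean );
}
```

Two points worth noting when auditing a plugin for this class of bug: dropping the wp_ajax_nopriv_ hook only removes anonymous access, so the current_user_can() check is still required because any logged-in account (including a subscriber) can call wp_ajax_ handlers; and a nonce alone is not authorization, since a nonce only proves the request originated from a page the same user loaded.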
Impact
Successful exploitation lets an unauthenticated attacker invoke functionality that the plugin should reserve for administrators. The advisory does not enumerate the affected functions, but given the plugin's purpose this means unauthorized changes to the registered image sizes (creating, modifying, or disabling them), which alters site configuration and how uploaded media is processed.
Mitigation
The vendor has addressed the flaw in a release after 1.0.10; administrators should update the plugin to the latest available version immediately [1]. No patch commit is linked on this page, so verify the installed version after updating. If updating is not possible, deactivate the plugin until it can be updated, or seek assistance from the hosting provider or web developer.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <=1.0.10
- (no CPE) range: <=1.0.10
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.